What is least privilege access?
As one of the core tenants of zero trust, least privilege access is probably the least understood and the hardest to reach today. At the highest level, think of least privilege access as providing people – or identities more generally – the access they need to do a job, and for no longer than they need it. Operating on least privilege access allows companies to reduce the attack surface area of compromised identities and insider threats.
Least privilege for the modern workforce
As more and more identities move to the cloud, the threat to companies will be less about compromising machines and moving laterally on a network, and more about compromising identities and moving laterally in the cloud. Lateral movement is simply federating across applications boundaries or logging in with a local account in an environment. In this world, what an identity is allowed to do is the blast radius that the identity has to cause damage to your organization in the case of compromise. Reducing the standing footprint of unnecessary permissions and access that identities have is critical to reducing the potential risk of compromise.
If you have your SOC 2 certification, handle credit cards and deal with PCI, are in healthcare, or are a public company, then you also care about least privilege because you have to, from a regulatory standpoint. Almost every security-centric compliance framework mandates some level of controls and policies over identity and access management and typically references least privilege access control as an essential element of said program. As we all know, there is not always a perfect overlap between compliance and security, but the intention is good with these compliance regimes. They help drive a baseline discussion for companies to ensure that they have some minimal set of access control best practices in place.
What are the critical elements to achieving least privilege access?
To truly achieve least privilege access, you need to implement a handful of practices:
Get full visibility
You can’t fix what you don’t understand. The basis of securing any environment is to understand what is going on in the environment. Who has access to what, what roles and permissions exist, the relationship of access and entitlements, and so on are all critical questions that security needs to be able to answer in order to focus their efforts and achieve least privilege.
Conduct timely, contextual access reviews
Access reviews help to attenuate access and permissions that are no longer needed. Access reviews should not always just be conducted simply to meet compliance requirements. They should become a critical tool for your company to remove unnecessary access on a regular basis. To achieve this goal, access reviews should be more contextual (e.g. upon a significant role change) and occur on a more frequent and timely basis (sorry, no more yearly access reviews). This can be much easier said than done. Achieving contextual and timely access reviews necessitates investments in automation and several other best practices.
Move task-centric access to just-in-time
This is not practical for all access, but sensitive access that is task-centric should be time-bound or contextually provisioned. Just-in-time access provisioning controls moves access from a standing privilege and assumes, by default, that the user does not need the permission or access on a regular basis. It’s reasonable to think of this type of access almost as a “privileged action” escalation: a user must request access to elevated privileges in order to perform privileged actions (e.g. deploying product or troubleshooting a customer environment) and they are able to receive that access for a short period of time.
Get good at deprovisioning
Deprovisioning is hard. Due to the interwoven nature of directory groups that are frequently used for access control, deprovisioning can require understanding the root of the access grant, ensuring that deprovisioning that won’t interrupt other needed access, and then coordinating with whoever controls that resource to deprovision it. Understanding how access is granted, how it should be removed, and automating that process will help you get good at deprovisioning.
Conclusion
Achieving least privilege is a journey, not a destination. There will never be a world where your roles and permissions are perfectly right sized and all access is exactly what everyone needs for each minute that they work. That said, embarking on this journey is essential to build the muscles and practices necessary to improve your security. As with most security efforts, there is a diminishing return curve. But the good news is that the most significant gains can be made up front from incremental improvements to business processes and tooling.
For a deeper dive into seven principles for implementing least privilege access, check out the guide here.